
Discussion Starter · #1 · Registered · 79 Posts
I've been trying to kill this virus for a few days with ComboFix and HJT logs, with no success... :(

Symptoms:
1. C:\Windows\Update.dll
basically adds a bunch of .cn (Chinese) entries to the HOSTS file
appears as rundll32.exe in Task Manager

2. random .dll's in C:\Windows\system32
such as "950D1600.dll"

3. System.exe file in system32
in properties:
description: HB Inject Application Version 1.2.1.1007
copyright: Copyright © 2008, HB Software
original file name: HBInject.exe

4. C:\Program Files\Messenger\msgmr.dll
appears as rundll32.exe in Task Manager

5. changing of startup entries in msconfig, specifically to include System.exe, msgmr.dll, and Update.dll

6. C:\Documents and Settings\(user name)\Local Settings\temp\wmsetup.dll
perflib_perfdata(random three #/letter sequence).dat is also in that folder

7. none of these files can be deleted except in safe mode or during restart

For a few days, I simply killed the rundll32.exe processes and manually changed the HOSTS file.

Then I deleted the msgmr.dll and Update.dll files, but they reappeared.

Two days ago, I checked my HJT log and found a bunch of weird registry entries, so I opened regedit and deleted every one of them.
One of them had to do with "thunderadvise.dll", which I promptly deleted.

The HJT log was clean, but only temporarily.

I ran ComboFix several times and it deleted everything I've mentioned above, but...

the same symptoms keep appearing.

DDS log:

DDS (Version 1.0) - NTFSx86
Run by demo at 15:22:40.89 on Thu 11/27/2008
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.628 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\demo\Desktop\New Folder (2)\opera\op.com
C:\Documents and Settings\demo\Desktop\dds.scr

============== Psuedo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [HBService32] System.exe
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: HBmhly.dll
SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - c:\program files\messenger\msgmr.dll
SEH: {950D1600-DE4A-448D-93B4-7BAE5A7A8052} - 950D1600.dll
SEH: {DFB3DAC5-B0B5-4B05-BFCF-FB42737778FA} - DFB3DAC5.dll
SEH: {DA63E650-537C-4042-87BB-9D19D844680B} - DA63E650.dll

============= SERVICES / DRIVERS ===============

R3 d812a079;d812a079;\??\c:\windows\system32\d812a079.sys [2008-11-27 5504]
S0 HBKernel32;HBKernel32 Driver;c:\windows\system32\drivers\HBKernel32.sys [2008-11-27 14699]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\VCdRom.sys []
S3 6457aed;6457aed;\??\c:\windows\system32\6457aed.sys [2008-11-27 5504]
S3 b160485;b160485;\??\c:\windows\system32\b160485.sys [2008-11-18 5504]
S3 d435fd4;d435fd4;\??\c:\windows\system32\d435fd4.sys [2008-11-16 5504]
S3 de8296f;de8296f;\??\c:\windows\system32\de8296f.sys [2008-11-12 5504]
S3 f35ee9e;f35ee9e;\??\c:\windows\system32\f35ee9e.sys [2008-11-13 5504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\NSNDIS5.SYS [2004-3-23 17280]

=============== Created Last 30 ================

2008-11-27 15:05 250 a------- c:\windows\gmer.ini
2008-11-27 14:58 19,968 a------- c:\windows\system32\HBmhly.dll
2008-11-27 14:58 7,680 a------- c:\windows\system32\System.exe
2008-11-27 14:58 14,699 a------- c:\windows\system32\drivers\HBKernel32.sys
2008-11-27 14:58 13,080 a--sh--- c:\windows\system32\DA63E650.dll
2008-11-27 14:58 252 a--sh--- c:\windows\system32\DA63E650.cfg
2008-11-27 14:58 5,504 a------- c:\windows\system32\6457aed.sys
2008-11-27 14:58 14,076 a--sh--- c:\windows\system32\DFB3DAC5.dll
2008-11-27 14:58 216,451 a--sh--- c:\windows\system32\950D1600.dll
2008-11-27 14:58 344 a--sh--- c:\windows\system32\950D1600.cfg
2008-11-27 14:58 5,504 a------- c:\windows\system32\d812a079.sys
2008-11-27 14:58 237,568 a------- c:\windows\Update.dll
2008-11-27 14:31 <DIR> --d----- C:\ComboFix
2008-11-27 14:08 208 a--sh--- c:\windows\system32\A1A6BC2E.cfg
2008-11-27 13:45 1,298 a------- c:\windows\system32\tmp.reg
2008-11-27 13:44 289,144 a------- c:\windows\system32\VCCLSID.exe
2008-11-27 13:44 288,417 a------- c:\windows\system32\SrchSTS.exe
2008-11-27 13:44 87,552 a------- c:\windows\system32\VACFix.exe
2008-11-27 13:44 82,944 a------- c:\windows\system32\o4Patch.exe
2008-11-27 13:44 82,944 a------- c:\windows\system32\IEDFix.exe
2008-11-27 13:44 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-11-27 13:44 82,432 a------- c:\windows\system32\404Fix.exe
2008-11-27 13:44 53,248 a------- c:\windows\system32\Process.exe
2008-11-27 13:44 51,200 a------- c:\windows\system32\dumphive.exe
2008-11-27 13:44 25,600 a------- c:\windows\system32\WS2Fix.exe
2008-11-26 19:20 <DIR> --d----- c:\program files\Messenger
2008-11-26 19:05 161,792 a------- c:\windows\SWREG.exe
2008-11-26 19:05 98,816 a------- c:\windows\sed.exe
2008-11-26 13:31 <DIR> --d----- c:\program files\common files\Macrovision Shared
2008-11-26 12:37 54,156 a---h--- c:\windows\QTFont.qfn
2008-11-26 12:37 1,409 a------- c:\windows\QTFont.for
2008-11-25 14:06 236 a--sh--- c:\windows\system32\FFAE967F.cfg
2008-11-25 14:06 432 a--sh--- c:\windows\system32\D9C002DD.cfg
2008-11-25 13:36 <DIR> --d----- c:\docume~1\demo\applic~1\Download Manager
2008-11-21 17:18 208 a--sh--- c:\windows\system32\DFB3DAC5.cfg
2008-11-20 16:11 145 a------- c:\windows\Eudcedit.ini
2008-11-18 14:28 244 a--sh--- c:\windows\system32\E1D19FCC.cfg
2008-11-18 14:28 5,504 a------- c:\windows\system32\b160485.sys
2008-11-16 18:39 5,504 a------- c:\windows\system32\d435fd4.sys
2008-11-15 14:10 <DIR> --d----- c:\docume~1\demo\applic~1\Audacity
2008-11-15 13:40 <DIR> --d----- c:\docume~1\demo\applic~1\FrostWire
2008-11-15 13:25 220 a--sh--- c:\windows\system32\B8E83D3C.cfg
2008-11-15 13:23 73,728 a------- c:\windows\system32\javacpl.cpl
2008-11-13 18:08 5,504 a------- c:\windows\system32\f35ee9e.sys
2008-11-12 20:28 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 20:28 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-12 16:47 5,504 a------- c:\windows\system32\de8296f.sys
2008-11-05 18:00 204 a--sh--- c:\windows\system32\C8FFD223.cfg
2008-11-05 17:57 272 a--sh--- c:\windows\system32\F2CBFAC4.cfg
2008-11-03 15:30 <DIR> --d----- c:\windows\pss
2008-11-03 15:20 204 a--sh--- c:\windows\system32\E5D39975.cfg
2008-11-03 15:19 436 a--sh--- c:\windows\system32\F8E07BB2.cfg
2008-11-02 16:50 <DIR> --d-h--- c:\windows\[email protected]
2008-11-01 13:30 <DIR> --d----- C:\New Folder (x)
2008-11-01 13:10 <DIR> --d----- c:\docume~1\demo\applic~1\uTorrent
2008-10-29 14:31 <DIR> --d----- c:\windows\Cache

==================== Find3M ====================

2008-11-14 19:12 <DIR> --d----- c:\docume~1\demo\applic~1\vlc
2008-11-06 14:02 <DIR> --d----- c:\program files\MUSICMATCH
2008-11-06 13:59 <DIR> --d----- c:\program files\lynx
2008-11-06 13:57 <DIR> --d----- c:\docume~1\demo\applic~1\Dev-Cpp
2008-11-06 13:56 <DIR> --d----- c:\program files\Apoint
2008-11-02 17:00 27,136 a------- c:\windows\apppatch\AcLue.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 03:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-04 08:42 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-29 20:06 1,350,664 a------- c:\windows\system32\msxml6.dll
2008-01-21 11:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2007-10-09 20:38 <DIR> --d----- c:\docume~1\demo\applic~1\ScanSoft
2007-09-10 21:10 <DIR> --d----- c:\docume~1\demo\applic~1\NJStar
2006-09-13 15:18 <DIR> --d----- c:\docume~1\demo\applic~1\Ethereal
2006-06-01 12:02 <DIR> --d----- c:\docume~1\demo\applic~1\WildPackets
2006-05-31 23:58 <DIR> --d----- c:\docume~1\demo\applic~1\PDFill
2006-05-31 19:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2006-05-31 19:41 <DIR> --d----- c:\docume~1\demo\applic~1\MSNInstaller
2006-03-16 17:18 <DIR> --d----- c:\docume~1\demo\applic~1\Mikrotik
2006-03-11 16:07 <DIR> --d--r-- c:\docume~1\demo\applic~1\Brother
2006-03-11 15:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Brother
2006-01-18 16:51 <DIR> --d----- c:\docume~1\demo\applic~1\Symantec
2005-11-10 17:23 <DIR> --d----- c:\docume~1\demo\applic~1\Intel
2005-11-10 17:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intel
2005-10-14 20:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2005-10-14 20:43 <DIR> --d----- c:\docume~1\demo\applic~1\Jasc Software Inc
2004-08-10 10:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
2006-05-31 13:40 56 a--shr-- c:\windows\system32\2354A42A8E.sys

============= FINISH: 15:22:49.65 ===============
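The patterns in the symptom list and the DDS log above repeat line after line (hook DLLs named after their own CLSID, 7-8 hex-character drivers, hidden+system .dll/.cfg pairs, a populated AppInit_DLLs, a Run entry that is just "System.exe", and HOSTS entries pointing at .cn hosts), so they can be checked mechanically. The script below is an added example, not the poster's or DDS's code; it assumes Python 3.8+ and works on constructed samples built from the lines quoted in the post.

```python
"""Triage helpers for the symptoms described in the post above (added example,
not part of the thread or of DDS/ComboFix): hosts_suspects() lists HOSTS entries
to review (the ".cn entries" symptom); dds_suspects() flags DDS log lines that
match the indicators visible in the log (hook DLLs named after their own CLSID,
a populated AppInit_DLLs, Run entries with a bare filename, random hex names).
Sample inputs are constructed from lines quoted in the thread.
"""
import re
from typing import List

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
HEX_NAME = re.compile(r"^[0-9a-f]{7,8}$", re.IGNORECASE)        # 950D1600, d812a079
CLSID = re.compile(r"\{([0-9a-f]{8})-[0-9a-f-]{27}\}", re.IGNORECASE)
SERVICE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(\S.*?)\s+\[")   # R3 name;display;path [..]
CREATED = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+[\d,<>DIR]+\s+(\S+)\s+(.+)$")


def _stem(path: str) -> str:
    """Filename without directory or extension: c:\\x\\950D1600.dll -> 950D1600."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def hosts_suspects(hosts_text: str) -> List[str]:
    """HOSTS lines that map a hostname to a non-loopback address, or name a .cn
    host at all (the poster's symptom). Legitimate LAN overrides will be listed
    too: this is a review list, not a delete list."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        if addr not in LOOPBACK or any(n.lower().endswith(".cn") for n in names):
            hits.append(line)
    return hits


def dds_suspects(dds_text: str) -> List[str]:
    """Return 'reason: line' strings for DDS lines matching the page's indicators."""
    hits = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if line.startswith(("SEH:", "SSODL:")):
            # Shell hooks whose DLL is named after the first CLSID group, e.g.
            # "SEH: {950D1600-...} - 950D1600.dll", or an SSODL DLL outside system32.
            m = CLSID.search(line)
            path = line.rsplit(" - ", 1)[-1]
            if m and _stem(path).lower() == m.group(1).lower():
                hits.append(f"hook DLL named after its CLSID: {line}")
            elif line.startswith("SSODL:") and "\\system32\\" not in path.lower():
                hits.append(f"SSODL DLL outside system32: {line}")
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # Empty on a clean XP install; anything listed loads into every user32 process.
            hits.append(f"AppInit_DLLs populated: {line}")
        elif re.match(r"^[umd]Run:", line):
            # "[name] value": a bare filename (no directory) is resolved by PATH
            # search, as with the System.exe entry in the log above.
            value = line.split("]", 1)[-1].strip().split(" ")[0]
            if "\\" not in value:
                hits.append(f"Run entry with bare filename: {line}")
        elif (m := SERVICE.match(line)):
            name, display, _path = m.groups()
            # 7-8 random hex chars used as both service and display name.
            if HEX_NAME.match(name) and display.lower() == name.lower():
                hits.append(f"driver with random hex name: {line}")
        elif (m := CREATED.match(line)):
            attrs, path = m.groups()
            # Hidden+system (a--sh---) files with 8-hex names: the .dll/.cfg pairs above.
            if "s" in attrs and "h" in attrs and HEX_NAME.match(_stem(path)):
                hits.append(f"hidden/system file with hex name: {line}")
    return hits


# Constructed samples: the DDS lines are copied from the log in the post, the
# HOSTS lines use documentation addresses/names.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example.cn
203.0.113.5     www.example.com
"""

SAMPLE_DDS = r"""mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [HBService32] System.exe
AppInit_DLLs: HBmhly.dll
SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - c:\program files\messenger\msgmr.dll
SEH: {950D1600-DE4A-448D-93B4-7BAE5A7A8052} - 950D1600.dll
R3 d812a079;d812a079;\??\c:\windows\system32\d812a079.sys [2008-11-27 5504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
2008-11-27 15:05 250 a------- c:\windows\gmer.ini
2008-11-27 14:58 13,080 a--sh--- c:\windows\system32\DA63E650.dll
2008-11-27 14:58 252 a--sh--- c:\windows\system32\DA63E650.cfg
"""

if __name__ == "__main__":
    for hit in hosts_suspects(SAMPLE_HOSTS) + dds_suspects(SAMPLE_DDS):
        print(hit)
```

Feed it a real HOSTS file and a full DDS log and treat every hit as something to look up, not something to delete blindly.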
 


Discussion Starter · #5 · Registered · 79 Posts
ComboFix log:

ComboFix 08-11-28.02 - demo 2008-11-28 17:08:47.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.677 [GMT -8:00]
Running from: c:\documents and settings\demo\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Messenger\msgmr.dll
c:\windows\Fonts\Framdee.ttf
c:\windows\system32\6457aed.sys
c:\windows\system32\950D1600.cfg
c:\windows\system32\950D1600.dll
c:\windows\system32\b160485.sys
c:\windows\system32\d812a079.sys
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DA63E650.dll
c:\windows\system32\DFB3DAC5.cfg
c:\windows\system32\DFB3DAC5.dll
c:\windows\system32\drivers\HBKernel32.sys
c:\windows\system32\HBmhly.dll
c:\windows\system32\system.exe
c:\windows\temp\wmsetup.dll
c:\windows\Update.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_B160485
-------\Legacy_D812A079
-------\Service_6457aed
-------\Service_b160485
-------\Service_d812a079
-------\Service_HBKernel32


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-27 15:05 . 2008-11-27 15:07 250 --a------ c:\windows\gmer.ini
2008-11-27 14:08 . 2008-11-27 14:08 208 --ahs---- c:\windows\system32\A1A6BC2E.cfg
2008-11-27 13:45 . 2008-11-27 13:45 1,298 --a------ c:\windows\system32\tmp.reg
2008-11-27 13:44 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-27 13:44 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-27 13:44 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-27 13:44 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-27 13:44 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-27 13:44 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-27 13:44 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-27 13:44 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-27 13:44 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-27 13:44 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-26 13:31 . 2008-11-26 13:31 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-26 13:05 . 2008-11-26 14:30 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-26 12:37 . 2008-11-26 12:37 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-26 12:37 . 2008-11-26 12:37 1,409 --a------ c:\windows\QTFont.for
2008-11-25 14:06 . 2008-11-27 14:08 432 --ahs---- c:\windows\system32\D9C002DD.cfg
2008-11-25 14:06 . 2008-11-25 14:06 236 --ahs---- c:\windows\system32\FFAE967F.cfg
2008-11-25 13:36 . 2008-11-25 16:47 <DIR> d-------- c:\documents and settings\demo\Application Data\Download Manager
2008-11-20 16:11 . 2008-11-20 16:11 145 --a------ c:\windows\Eudcedit.ini
2008-11-18 14:28 . 2008-11-18 14:28 244 --ahs---- c:\windows\system32\E1D19FCC.cfg
2008-11-16 18:39 . 2008-11-16 18:39 5,504 --a------ c:\windows\system32\d435fd4.sys
2008-11-15 14:10 . 2008-11-23 17:10 <DIR> d-------- c:\documents and settings\demo\Application Data\Audacity
2008-11-15 13:40 . 2008-11-25 20:22 <DIR> d-------- c:\documents and settings\demo\Application Data\FrostWire
2008-11-15 13:25 . 2008-11-15 13:25 220 --ahs---- c:\windows\system32\B8E83D3C.cfg
2008-11-15 13:23 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-13 18:08 . 2008-11-13 18:08 5,504 --a------ c:\windows\system32\f35ee9e.sys
2008-11-12 20:28 . 2008-09-04 08:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 20:28 . 2008-10-24 03:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 16:47 . 2008-11-12 16:47 5,504 --a------ c:\windows\system32\de8296f.sys
2008-11-05 18:00 . 2008-11-05 18:00 204 --ahs---- c:\windows\system32\C8FFD223.cfg
2008-11-05 17:57 . 2008-11-05 17:57 272 --ahs---- c:\windows\system32\F2CBFAC4.cfg
2008-11-03 15:20 . 2008-11-03 15:20 204 --ahs---- c:\windows\system32\E5D39975.cfg
2008-11-03 15:19 . 2008-11-26 14:44 436 --ahs---- c:\windows\system32\F8E07BB2.cfg
2008-11-02 16:50 . 2008-11-02 16:52 <DIR> d--h----- c:\windows\[email protected]
2008-11-01 13:30 . 2008-11-01 13:30 <DIR> d-------- C:\New Folder (x)
2008-11-01 13:10 . 2008-11-26 13:03 <DIR> d-------- c:\documents and settings\demo\Application Data\uTorrent
2008-10-29 14:31 . 2008-10-29 14:31 <DIR> d-------- c:\windows\Cache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 05:45 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-15 21:23 --------- d-----w c:\program files\Java
2008-11-15 03:12 --------- d-----w c:\documents and settings\demo\Application Data\vlc
2008-11-06 22:02 --------- d-----w c:\program files\MUSICMATCH
2008-11-06 21:59 --------- d-----w c:\program files\lynx
2008-11-06 21:57 --------- d-----w c:\documents and settings\demo\Application Data\Dev-Cpp
2008-11-06 21:56 --------- d-----w c:\program files\Apoint
2008-11-03 23:30 --------- d-----w c:\documents and settings\demo\Application Data\OpenOffice.org2
2008-10-25 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\GTek
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2006-05-31 21:40 56 --sha-r c:\windows\system32\2354A42A8E.sys
.

((((((((((((((((((((((((((((( [email protected]_14.41.19.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-27 23:05:47 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 05:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2008-11-27 23:05:47 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-10-03 22:59 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Client.exe]
"Debugger"=c:\windows\system32\windg.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^demo^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\demo\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3PMmUpdate]
c:\windows\Update.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 18:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2005-02-23 13:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EOUApp]
--a------ 2005-10-03 23:03 356352 c:\program files\Intel\Wireless\Bin\EOUWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-08-20 14:57 221184 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-07-25 06:14 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
-ra------ 2003-08-20 13:15 483328 c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
-ra------ 2003-08-20 13:23 49152 c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-04 02:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 02:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2005-10-03 22:59 385024 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a------ 2005-10-03 22:59 401408 c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 13:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 13:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 04:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2004-04-11 17:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-19 23:05 217088 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-01 10:37 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-01 10:19 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Brother XP spl Service"=2 (0x2)
"SNDSrvc"=3 (0x3)
"rpcapd"=3 (0x3)
"IDriverT"=3 (0x3)
"brmfrmps"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"WLANKEEPER"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"OwnershipProtocol"=2 (0x2)
"Imapi Helper"=3 (0x3)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"EvtEng"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dude\\dudes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\WINDOWS\\[email protected]\\iexplorer.exe"=
"c:\\Documents and Settings\\demo\\My Documents\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

S1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\VCdRom.sys []
S3 d435fd4;d435fd4;\??\c:\windows\system32\d435fd4.sys [2008-11-16 5504]
S3 de8296f;de8296f;\??\c:\windows\system32\de8296f.sys [2008-11-12 5504]
S3 f35ee9e;f35ee9e;\??\c:\windows\system32\f35ee9e.sys [2008-11-13 5504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\NSNDIS5.SYS [2004-03-23 17280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c21fc2e-582f-11dc-bfa0-0013ce46134d}]
\shell\explore\Command - G:\boot.exe
\shell\open\Command - G:\boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c1227fb-af5d-11dc-bfaa-00123feb0953}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-13 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#7200#CN41E3B0HZI5.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 14:57]

2008-11-27 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2003-08-20 13:23]

2008-11-29 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-HBService32 - System.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 21:53:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\IWPDGINA.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-28 21:55:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 05:55:28
ComboFix2.txt 2008-11-27 22:43:26
ComboFix3.txt 2008-11-27 03:17:25

Pre-Run: 2,450,796,544 bytes free
Post-Run: 2,440,110,080 bytes free

259 --- E O F --- 2008-11-13 23:46:28



Other stuff:

1. I forgot to tell you earlier that explorer.exe doesn't load (how convenient) :), not even in safe mode or via the Run function of Task Manager.
I'm doing everything with Task Manager now...
I don't know whether the virus did it or my random deleting of registry entries..

2. ComboFix didn't work too well... again

3. the virus has also inhabited the system32/drivers folder

4. after the ComboFix scan I deleted the crap in the HOSTS file, and killed off like 5 rundll32.exe's with Task Manager
 

Discussion Starter · #7 · Registered · 79 Posts
ComboFix 08-11-29.03 - demo 2008-11-29 14:22:42.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.639 [GMT -8:00]
Running from: c:\documents and settings\demo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\demo\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\404Fix.exe
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\B8E83D3C.cfg
c:\windows\system32\C8FFD223.cfg
c:\windows\system32\d435fd4.sys
c:\windows\system32\D9C002DD.cfg
c:\windows\system32\de8296f.sys
c:\windows\system32\E1D19FCC.cfg
c:\windows\system32\E5D39975.cfg
c:\windows\system32\F2CBFAC4.cfg
c:\windows\system32\f35ee9e.sys
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\FFAE967F.cfg
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\windg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Messenger\msgmr.dll
c:\windows\AppPatch\AcSpecf.dll
c:\windows\AppPatch\AcXtrnel.sdb
c:\windows\Downloaded Program Files\ThunderAdvise.dll
c:\windows\Fonts\Framdee.ttf
c:\windows\[email protected]
c:\windows\[email protected]\00000000.256
c:\windows\[email protected]\binkw32.dll
c:\windows\[email protected]\chktrust.exe
c:\windows\[email protected]\config.txt
c:\windows\[email protected]\CONTENT\1024editbox.ksml
c:\windows\[email protected]\CONTENT\1024log.ksml
c:\windows\[email protected]\CONTENT\1200editbox.ksml
c:\windows\[email protected]\CONTENT\1200log.ksml
c:\windows\[email protected]\CONTENT\480editbox.ksml
c:\windows\[email protected]\CONTENT\480log.ksml
c:\windows\[email protected]\CONTENT\576editbox.ksml
c:\windows\[email protected]\CONTENT\576log.ksml
c:\windows\[email protected]\CONTENT\600editbox.ksml
c:\windows\[email protected]\CONTENT\600log.ksml
c:\windows\[email protected]\CONTENT\720editbox.ksml
c:\windows\[email protected]\CONTENT\720log.ksml
c:\windows\[email protected]\CONTENT\768editbox.ksml
c:\windows\[email protected]\CONTENT\768log.ksml
c:\windows\[email protected]\CONTENT\864editbox.ksml
c:\windows\[email protected]\CONTENT\864log.ksml
c:\windows\[email protected]\CONTENT\900editbox.ksml
c:\windows\[email protected]\CONTENT\900log.ksml
c:\windows\[email protected]\CONTENT\960editbox.ksml
c:\windows\[email protected]\CONTENT\960log.ksml
c:\windows\[email protected]\CONTENT\GALLERY\editbox1024.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox1200.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox480.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox576.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox600.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox720.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox768.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox864.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox900.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox960.png
c:\windows\[email protected]\CONTROLS\controls.dll
c:\windows\[email protected]\CONTROLS\controls.ini
c:\windows\[email protected]\drvmgt.dll
c:\windows\[email protected]\EBUSetup.sem
c:\windows\[email protected]\ending.bik
c:\windows\[email protected]\eula.dll
c:\windows\[email protected]\eula.rtf
c:\windows\[email protected]\favicon.ico
c:\windows\[email protected]\gamespy.ico
c:\windows\[email protected]\GSArcade.exe
c:\windows\[email protected]\haloupdate.cfg
c:\windows\[email protected]\iexplorer.exe
c:\windows\[email protected]\Keystone.dll
c:\windows\[email protected]\ksimeui.dll
c:\windows\[email protected]\ksml.xsd
c:\windows\[email protected]\MAPS\a10.map
c:\windows\[email protected]\MAPS\a30.map
c:\windows\[email protected]\MAPS\a50.map
c:\windows\[email protected]\MAPS\b30.map
c:\windows\[email protected]\MAPS\b40.map
c:\windows\[email protected]\MAPS\beavercreek.map
c:\windows\[email protected]\MAPS\bitmaps.map
c:\windows\[email protected]\MAPS\bloodgulch.map
c:\windows\[email protected]\MAPS\boardingaction.map
c:\windows\[email protected]\MAPS\c10.map
c:\windows\[email protected]\MAPS\c20.map
c:\windows\[email protected]\MAPS\c40.map
c:\windows\[email protected]\MAPS\carousel.map
c:\windows\[email protected]\MAPS\chillout.map
c:\windows\[email protected]\MAPS\d20.map
c:\windows\[email protected]\MAPS\d40.map
c:\windows\[email protected]\MAPS\damnation.map
c:\windows\[email protected]\MAPS\dangercanyon.map
c:\windows\[email protected]\MAPS\deathisland.map
c:\windows\[email protected]\MAPS\gephyrophobia.map
c:\windows\[email protected]\MAPS\hangemhigh.map
c:\windows\[email protected]\MAPS\icefields.map
c:\windows\[email protected]\MAPS\infinity.map
c:\windows\[email protected]\MAPS\longest.map
c:\windows\[email protected]\MAPS\prisoner.map
c:\windows\[email protected]\MAPS\putput.map
c:\windows\[email protected]\MAPS\ratrace.map
c:\windows\[email protected]\MAPS\sidewinder.map
c:\windows\[email protected]\MAPS\sounds.map
c:\windows\[email protected]\MAPS\timberland.map
c:\windows\[email protected]\MAPS\ui.map
c:\windows\[email protected]\MAPS\wizard.map
c:\windows\[email protected]\mgspid.dll
c:\windows\[email protected]\msvcr71.dll
c:\windows\[email protected]\msxmlenu.msi
c:\windows\[email protected]\ogg.dll
c:\windows\[email protected]\patchw32.dll
c:\windows\[email protected]\Readme.rtf
c:\windows\[email protected]\SETUPENU.DLL
c:\windows\[email protected]\SHADERS\fx.bin
c:\windows\[email protected]\SHADERS\vsh.bin
c:\windows\[email protected]\Shortcut to iexplorer.exe.lnk
c:\windows\[email protected]\Strings.dll
c:\windows\[email protected]\Thumbs.db
c:\windows\[email protected]\unicows.dll
c:\windows\[email protected]\vorbis.dll
c:\windows\[email protected]\vorbisfile.dll
c:\windows\[email protected]\WATSON\1028\dwintl.dll
c:\windows\[email protected]\WATSON\1031\dwintl.dll
c:\windows\[email protected]\WATSON\1033\dwintl.dll
c:\windows\[email protected]\WATSON\1035\dwintl.dll
c:\windows\[email protected]\WATSON\1036\dwintl.dll
c:\windows\[email protected]\WATSON\1040\dwintl.dll
c:\windows\[email protected]\WATSON\1041\dwintl.dll
c:\windows\[email protected]\WATSON\1042\dwintl.dll
c:\windows\[email protected]\WATSON\1046\dwintl.dll
c:\windows\[email protected]\WATSON\2052\dwintl.dll
c:\windows\[email protected]\WATSON\2070\dwintl.dll
c:\windows\[email protected]\WATSON\3076\dwintl.dll
c:\windows\[email protected]\WATSON\3082\dwintl.dll
c:\windows\[email protected]\WATSON\dw15.exe
c:\windows\[email protected]\xiph_license.txt
c:\windows\system32\01AFE3DC.dll
c:\windows\system32\06EA0A93.cfg
c:\windows\system32\06EA0A93.dll
c:\windows\system32\08223B03.cfg
c:\windows\system32\08223B03.dll
c:\windows\system32\122B901E.cfg
c:\windows\system32\122B901E.dll
c:\windows\system32\14F7F80A.cfg
c:\windows\system32\14F7F80A.dll
c:\windows\system32\201476D0.dll
c:\windows\system32\29EA67E0.dll
c:\windows\system32\2EF0D734.cfg
c:\windows\system32\2EF0D734.dll
c:\windows\system32\34A25F04.cfg
c:\windows\system32\34A25F04.dll
c:\windows\system32\39349BEE.cfg
c:\windows\system32\39349BEE.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\4D023DE9.cfg
c:\windows\system32\4D023DE9.dll
c:\windows\system32\56BC86C7.cfg
c:\windows\system32\56BC86C7.dll
c:\windows\system32\5934EA2B.cfg
c:\windows\system32\5934EA2B.dll
c:\windows\system32\6457aed.sys
c:\windows\system32\66AFCB56.cfg
c:\windows\system32\66AFCB56.dll
c:\windows\system32\7E983C60.dll
c:\windows\system32\8566F82E.cfg
c:\windows\system32\8566F82E.dll
c:\windows\system32\93DEE065.dll
c:\windows\system32\950D1600.cfg
c:\windows\system32\950D1600.dll
c:\windows\system32\9CA963CA.cfg
c:\windows\system32\9CA963CA.dll
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\A1A6BC2E.dll
c:\windows\system32\A55F538E.dll
c:\windows\system32\b160485.sys
c:\windows\system32\B3721C07.cfg
c:\windows\system32\B3721C07.dll
c:\windows\system32\B8E83D3C.cfg
c:\windows\system32\C8FFD223.cfg
c:\windows\system32\d435fd4.sys
c:\windows\system32\d812a079.sys
c:\windows\system32\D9C002DD.cfg
c:\windows\system32\D9C002DD.dll
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DA63E650.dll
c:\windows\system32\de8296f.sys
c:\windows\system32\DFB3DAC5.cfg
c:\windows\system32\DFB3DAC5.dll
c:\windows\system32\drivers\eth8023.sys
c:\windows\system32\E0D39066.cfg
c:\windows\system32\E0D39066.dll
c:\windows\system32\E1D19FCC.cfg
c:\windows\system32\E5D39975.cfg
c:\windows\system32\F2CBFAC4.cfg
c:\windows\system32\f35ee9e.sys
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\F8E07BB2.dll
c:\windows\system32\FFAE967F.cfg
c:\windows\system32\FFAE967F.dll
c:\windows\system32\HBmhly.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\system.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\windg.exe
c:\windows\temp\wmsetup.dll
c:\windows\Update.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_B160485
-------\Legacy_D435FD4
-------\Legacy_D812A079
-------\Legacy_DE8296F
-------\Legacy_ETH8023
-------\Legacy_F35EE9E
-------\Service_6457aed
-------\Service_b160485
-------\Service_d435fd4
-------\Service_d812a079
-------\Service_de8296f
-------\Service_eth8023
-------\Service_f35ee9e
-------\Service_HBKernel32


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-28 21:59 . 2008-11-28 21:59 196 --ahs---- c:\windows\system32\201476D0.cfg
2008-11-28 21:59 . 2008-11-28 21:59 180 --ahs---- c:\windows\system32\A55F538E.cfg
2008-11-27 15:05 . 2008-11-27 15:07 250 --a------ c:\windows\gmer.ini
2008-11-27 13:45 . 2008-11-27 13:45 1,298 --a------ c:\windows\system32\tmp.reg
2008-11-27 13:44 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-27 13:44 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-27 13:44 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-27 13:44 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-27 13:44 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-27 13:44 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-26 13:31 . 2008-11-26 13:31 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-26 13:05 . 2008-11-26 14:30 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-26 12:37 . 2008-11-26 12:37 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-26 12:37 . 2008-11-26 12:37 1,409 --a------ c:\windows\QTFont.for
2008-11-25 13:36 . 2008-11-25 16:47 <DIR> d-------- c:\documents and settings\demo\Application Data\Download Manager
2008-11-20 16:11 . 2008-11-20 16:11 145 --a------ c:\windows\Eudcedit.ini
2008-11-15 14:10 . 2008-11-23 17:10 <DIR> d-------- c:\documents and settings\demo\Application Data\Audacity
2008-11-15 13:40 . 2008-11-25 20:22 <DIR> d-------- c:\documents and settings\demo\Application Data\FrostWire
2008-11-15 13:23 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-12 20:28 . 2008-09-04 08:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 20:28 . 2008-10-24 03:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-01 13:30 . 2008-11-01 13:30 <DIR> d-------- C:\New Folder (x)
2008-11-01 13:10 . 2008-11-26 13:03 <DIR> d-------- c:\documents and settings\demo\Application Data\uTorrent
2008-10-29 14:31 . 2008-10-29 14:31 <DIR> d-------- c:\windows\Cache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 06:00 24,625 ----a-w c:\windows\MSVB50CHS.dll
2008-11-29 06:00 20,480 ----a-w c:\windows\MPKrnl.dll
2008-11-29 06:00 10,240 ----a-w c:\windows\MKMKrnl.dll
2008-11-26 05:45 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-15 21:23 --------- d-----w c:\program files\Java
2008-11-15 03:12 --------- d-----w c:\documents and settings\demo\Application Data\vlc
2008-11-06 22:02 --------- d-----w c:\program files\MUSICMATCH
2008-11-06 21:59 --------- d-----w c:\program files\lynx
2008-11-06 21:57 --------- d-----w c:\documents and settings\demo\Application Data\Dev-Cpp
2008-11-06 21:56 --------- d-----w c:\program files\Apoint
2008-11-03 23:30 --------- d-----w c:\documents and settings\demo\Application Data\OpenOffice.org2
2008-10-25 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\GTek
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2006-05-31 21:40 56 --sha-r c:\windows\system32\2354A42A8E.sys
.

((((((((((((((((((((((((((((( [email protected]_14.41.19.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-27 23:05:47 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 05:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-07-02 16:58:15 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-29 06:15:55 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-07-02 16:58:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-29 06:15:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-02 16:58:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-29 06:15:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-27 23:05:47 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2004-08-04 12:00:00 22,016 --s---r c:\windows\system32\oleadp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"MPKrnl"="c:\windows\MPKrnl.dll" [2008-11-28 20480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MPMKrnl"="c:\windows\MKMKrnl.dll" [2008-11-28 10240]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F8E07BB2-7A19-4057-80F1-E14646E630B4}"= "F8E07BB2.dll" [BU]
"{D9C002DD-EA51-43A2-9009-54EAAAF031A4}"= "D9C002DD.dll" [BU]
"{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}"= "A1A6BC2E.dll" [BU]
"{201476D0-2B18-462E-AB9F-3E2B0CC8732B}"= "201476D0.dll" [BU]
"{A55F538E-9E65-4706-9458-852BF6592063}"= "A55F538E.dll" [BU]
"{FFAE967F-D0FC-4D2B-A0F5-D1BF27F46418}"= "FFAE967F.dll" [BU]
"{93DEE065-EC9B-4505-ADD3-19880AD3C38F}"= "93DEE065.dll" [BU]
"{29EA67E0-9EE5-4D1A-A056-5B7BDAC4CF97}"= "29EA67E0.dll" [BU]
"{01AFE3DC-2242-436E-9B44-6DD1C664E828}"= "01AFE3DC.dll" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Upnp"= {DE01DA19-A6A8-EB80-4D47-248DEB2A9399} - c:\windows\system32\upnpsrv.dll [2004-08-04 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-10-03 22:59 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HelpSvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UIHost.kxp]
"Debugger"=ntsd -d

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^demo^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\demo\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3PMmUpdate]
c:\windows\Update.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 18:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2005-02-23 13:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EOUApp]
--a------ 2005-10-03 23:03 356352 c:\program files\Intel\Wireless\Bin\EOUWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-08-20 14:57 221184 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-07-25 06:14 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
-ra------ 2003-08-20 13:15 483328 c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
-ra------ 2003-08-20 13:23 49152 c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-04 02:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 02:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2005-10-03 22:59 385024 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a------ 2005-10-03 22:59 401408 c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 13:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 13:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 04:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2004-04-11 17:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-19 23:05 217088 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-01 10:37 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-01 10:19 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Brother XP spl Service"=2 (0x2)
"SNDSrvc"=3 (0x3)
"rpcapd"=3 (0x3)
"IDriverT"=3 (0x3)
"brmfrmps"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"WLANKEEPER"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"OwnershipProtocol"=2 (0x2)
"Imapi Helper"=3 (0x3)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"EvtEng"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dude\\dudes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

S1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\VCdRom.sys []
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\NSNDIS5.SYS [2004-03-23 17280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c1227fb-af5d-11dc-bfaa-00123feb0953}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-13 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#7200#CN41E3B0HZI5.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 14:57]

2008-11-29 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2003-08-20 13:23]

2008-11-29 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{7E983C60-EBF5-4A36-BE25-EA26ED55052B} - 7E983C60.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 14:31:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\IWPDGINA.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\oleadp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-29 14:33:21 - machine was rebooted [demo]
ComboFix-quarantined-files.txt 2008-11-29 22:33:19
ComboFix2.txt 2008-11-29 05:55:32
ComboFix3.txt 2008-11-27 22:43:26
ComboFix4.txt 2008-11-27 03:17:25

Pre-Run: 2,500,739,072 bytes free
Post-Run: 2,464,583,680 bytes free

464 --- E O F --- 2008-11-13 23:46:28
 

Discussion Starter · #8 ·
Again, the same symptoms appear...

Currently, the problems only occur during startup; after killing a few processes with Task Manager, the virus becomes dormant (I think).


I do not use any antivirus programs, as I plan to switch to Linux soon.
I am 99% certain that this laptop became infected as a result of my mother's browsing of random Asian sites...


I attached a copy of the previously mentioned "Update.dll" file in .txt format, in case that may help.
 


Discussion Starter · #10 · (Edited)
ComboFix 08-11-29.03 - demo 2008-11-29 15:02:29.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.636 [GMT -8:00]
Running from: c:\documents and settings\demo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\demo\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\MKMKrnl.dll
c:\windows\MPKrnl.dll
c:\windows\MSVB50CHS.dll
c:\windows\system32\201476D0.cfg
c:\windows\system32\A55F538E.cfg
c:\windows\system32\oleadp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Messenger\msgmr.dll
c:\windows\Fonts\Framdee.ttf
c:\windows\MKMKrnl.dll
c:\windows\MPKrnl.dll
c:\windows\MSVB50CHS.dll
c:\windows\system32\122B901E.cfg
c:\windows\system32\122B901E.dll
c:\windows\system32\12316E69.dll
c:\windows\system32\14F7F80A.cfg
c:\windows\system32\14F7F80A.dll
c:\windows\system32\201476D0.cfg
c:\windows\system32\201476D0.dll
c:\windows\system32\4D023DE9.cfg
c:\windows\system32\4D023DE9.dll
c:\windows\system32\56BC86C7.cfg
c:\windows\system32\56BC86C7.dll
c:\windows\system32\5934EA2B.cfg
c:\windows\system32\5934EA2B.dll
c:\windows\system32\6457aed.sys
c:\windows\system32\950D1600.cfg
c:\windows\system32\950D1600.dll
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\A1A6BC2E.dll
c:\windows\system32\A55F538E.cfg
c:\windows\system32\A55F538E.dll
c:\windows\system32\b160485.sys
c:\windows\system32\d812a079.sys
c:\windows\system32\D9C002DD.cfg
c:\windows\system32\D9C002DD.dll
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DA63E650.dll
c:\windows\system32\DFB3DAC5.cfg
c:\windows\system32\DFB3DAC5.dll
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\F8E07BB2.dll
c:\windows\system32\FFAE967F.cfg
c:\windows\system32\FFAE967F.dll
c:\windows\system32\HBmhly.dll
c:\windows\system32\oleadp.dll
c:\windows\system32\system.exe
c:\windows\temp\wmsetup.dll
c:\windows\Update.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_B160485
-------\Service_6457aed
-------\Service_b160485
-------\Service_d812a079
-------\Service_HBKernel32


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-29 14:37 . 2008-11-29 14:37 244 --ahs---- c:\windows\system32\12316E69.cfg
2008-11-29 14:36 . 2008-11-29 14:36 5,504 --a------ c:\windows\system32\b71fe93.sys
2008-11-27 15:05 . 2008-11-27 15:07 250 --a------ c:\windows\gmer.ini
2008-11-27 13:45 . 2008-11-27 13:45 1,298 --a------ c:\windows\system32\tmp.reg
2008-11-27 13:44 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-27 13:44 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-27 13:44 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-27 13:44 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-27 13:44 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-27 13:44 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-26 13:31 . 2008-11-26 13:31 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-26 13:05 . 2008-11-26 14:30 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-26 12:37 . 2008-11-26 12:37 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-26 12:37 . 2008-11-26 12:37 1,409 --a------ c:\windows\QTFont.for
2008-11-25 13:36 . 2008-11-25 16:47 <DIR> d-------- c:\documents and settings\demo\Application Data\Download Manager
2008-11-20 16:11 . 2008-11-20 16:11 145 --a------ c:\windows\Eudcedit.ini
2008-11-15 14:10 . 2008-11-23 17:10 <DIR> d-------- c:\documents and settings\demo\Application Data\Audacity
2008-11-15 13:40 . 2008-11-25 20:22 <DIR> d-------- c:\documents and settings\demo\Application Data\FrostWire
2008-11-15 13:23 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-12 20:28 . 2008-09-04 08:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 20:28 . 2008-10-24 03:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-01 13:10 . 2008-11-26 13:03 <DIR> d-------- c:\documents and settings\demo\Application Data\uTorrent
2008-10-29 14:31 . 2008-10-29 14:31 <DIR> d-------- c:\windows\Cache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 05:45 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-15 21:23 --------- d-----w c:\program files\Java
2008-11-15 03:12 --------- d-----w c:\documents and settings\demo\Application Data\vlc
2008-11-06 22:02 --------- d-----w c:\program files\MUSICMATCH
2008-11-06 21:59 --------- d-----w c:\program files\lynx
2008-11-06 21:57 --------- d-----w c:\documents and settings\demo\Application Data\Dev-Cpp
2008-11-06 21:56 --------- d-----w c:\program files\Apoint
2008-11-03 23:30 --------- d-----w c:\documents and settings\demo\Application Data\OpenOffice.org2
2008-10-25 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\GTek
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2006-05-31 21:40 56 --sha-r c:\windows\system32\2354A42A8E.sys
.

((((((((((((((((((((((((((((( [email protected]_14.41.19.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-27 23:05:47 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 05:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-07-02 16:58:15 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-29 22:41:47 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-07-02 16:58:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-29 22:41:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-02 16:58:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-29 22:41:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-27 23:05:47 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Upnp"= {DE01DA19-A6A8-EB80-4D47-248DEB2A9399} - c:\windows\system32\upnpsrv.dll [2004-08-04 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-10-03 22:59 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^demo^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\demo\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3PMmUpdate]
c:\windows\Update.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 18:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2005-02-23 13:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EOUApp]
--a------ 2005-10-03 23:03 356352 c:\program files\Intel\Wireless\Bin\EOUWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-08-20 14:57 221184 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-07-25 06:14 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
-ra------ 2003-08-20 13:15 483328 c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
-ra------ 2003-08-20 13:23 49152 c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-04 02:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 02:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2005-10-03 22:59 385024 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a------ 2005-10-03 22:59 401408 c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 13:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 13:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 04:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2004-04-11 17:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-19 23:05 217088 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-01 10:37 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-01 10:19 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HBService32]
System.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Brother XP spl Service"=2 (0x2)
"SNDSrvc"=3 (0x3)
"rpcapd"=3 (0x3)
"IDriverT"=3 (0x3)
"brmfrmps"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"WLANKEEPER"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"OwnershipProtocol"=2 (0x2)
"Imapi Helper"=3 (0x3)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"EvtEng"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dude\\dudes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

S1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\VCdRom.sys []
S3 b71fe93;b71fe93;\??\c:\windows\system32\b71fe93.sys [2008-11-29 5504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\NSNDIS5.SYS [2004-03-23 17280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c1227fb-af5d-11dc-bfaa-00123feb0953}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-13 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#7200#CN41E3B0HZI5.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 14:57]

2008-11-29 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2003-08-20 13:23]

2008-11-29 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{12316E69-4CE5-4CD7-A174-C0BD57529D5A} - 12316E69.dll
MSConfigStartUp-MPKrnl - c:\windows\MPKrnl.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 15:10:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\IWPDGINA.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-29 15:12:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 23:12:21
ComboFix2.txt 2008-11-29 22:33:23
ComboFix3.txt 2008-11-29 05:55:32
ComboFix4.txt 2008-11-27 22:43:26
ComboFix5.txt 2008-11-29 23:02:00

Pre-Run: 2,443,898,880 bytes free
Post-Run: 2,435,678,208 bytes free

279 --- E O F --- 2008-11-13 23:46:28



I cannot find the C:\Qoobox\Quarantine\[4][email protected]_Time.zip or anything similar.

The computer runs smoothly except:
1. explorer.exe doesn't work, as I mentioned earlier
2. logging in takes 2 or 3 minutes after typing the password

As of right now, the virus has not regenerated... :)?

I will be running the online scan in a short while.
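Added example, not part of the original post and not ComboFix's own code: a small Python triage script that reads the firewallpolicy section of a ComboFix log like the one above and pulls out the two things a responder checks first. Under AuthorizedApplications it flags script hosts such as mshta.exe (mshta.exe runs HTML Applications with full script privileges and normally has no reason to accept inbound connections, so an exception for it deserves a look), and under GloballyOpenPorts it flags remote-administration ports such as 3389/TCP (the `@xpsp2res.dll,-22009` suffix on that line is a resource-string reference to the rule's display name, the Remote Desktop rule). The sample log text is copied from the log above with the "@" that the forum turned into an emoticon restored; the SCRIPT_HOSTS and REMOTE_ADMIN_PORTS watch-lists are assumptions for illustration, not a ComboFix convention.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the three firewall-policy sections from the ComboFix log
# above, with the "@" that the forum mangled into an emoticon restored.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dude\\dudes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"""

# Assumed watch-lists for illustration (not a ComboFix convention): Windows
# binaries that execute arbitrary script or DLL code and have no business
# accepting inbound connections, and ports that give remote interactive access.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
                "regsvr32.exe", "cmd.exe"}
REMOTE_ADMIN_PORTS = {23: "Telnet", 3389: "RDP", 5900: "VNC"}


@dataclass
class FirewallFindings:
    authorized_apps: list = field(default_factory=list)     # every exception path
    open_ports: list = field(default_factory=list)          # (port, proto)
    suspicious_apps: list = field(default_factory=list)     # paths whose basename is in SCRIPT_HOSTS
    remote_admin_ports: list = field(default_factory=list)  # (port, proto, service)


# A registry value line in the log looks like  "name"= optional-data
_VALUE = re.compile(r'^"([^"]+)"=')


def parse_firewall_sections(log_text):
    """Walk the log once, tracking which firewallpolicy section we are in."""
    findings = FirewallFindings()
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line.lower()
            if "firewallpolicy" not in key:
                section = None          # msconfig, mountpoints2 etc. are ignored
            elif "authorizedapplications" in key:
                section = "apps"
            elif "globallyopenports" in key:
                section = "ports"
            else:
                section = None          # IcmpSettings and anything else
            continue
        m = _VALUE.match(line)
        if section is None or not m:
            continue
        name = m.group(1)
        if section == "apps":
            # The log shows these paths with doubled backslashes (reg-export style).
            path = name.replace("\\\\", "\\")
            findings.authorized_apps.append(path)
            if path.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
                findings.suspicious_apps.append(path)
        else:
            port_str, proto = name.split(":", 1)   # value name is "port:proto"
            port = int(port_str)
            findings.open_ports.append((port, proto.upper()))
            if port in REMOTE_ADMIN_PORTS:
                findings.remote_admin_ports.append(
                    (port, proto.upper(), REMOTE_ADMIN_PORTS[port]))
    return findings


if __name__ == "__main__":
    f = parse_firewall_sections(SAMPLE_LOG)
    for p in f.suspicious_apps:
        print("script host allowed through the firewall:", p)
    for port, proto, svc in f.remote_admin_ports:
        print(f"remote-admin port open to everyone: {port}/{proto} ({svc})")
```

On the log above this reports mshta.exe under AuthorizedApplications and 3389/TCP under GloballyOpenPorts. Neither proves infection by itself (Remote Desktop may have been enabled on purpose, and some legitimate installers register script hosts), but both are exceptions to ask the user about and to remove if nobody can explain them.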
 

· Registered
Joined
·
79 Posts
Discussion Starter · #11 · (Edited)
Okay, I forgot to tell you that when the virus is active, the IEXPLORER.EXE process often appears.

I tried to run Internet Explorer through c:\prog files\internet explorer\IEXPLORER.EXE.

Nothing happened.

I renamed the IEXPLORER.EXE to IEXPLOR.EXE.

I received two messages. I attached a screenshot of them.

Did the virus alter the IEXPLORER.EXE file somehow?

FYI, my IEXPLOR.EXE (previously IEXPLORER.EXE) has a file size of about 91 KB.
 

Attachments

· Registered
Joined
·
79 Posts
Discussion Starter · #12 ·
Okay, I am certain that the virus has modified iexplore.exe.
I was changing the name back, and then suddenly a new iexplore.exe program randomly appeared (not as a process).
It also had a file size of 91 KB.

So I deleted them both and refreshed with F5, and again iexplore appeared; the virus seems to still be active.
 

· Registered
Joined
·
79 Posts
Discussion Starter · #13 ·
Perflib_Perfdata files reappear in the *username*\local settings\temp folder.

I cannot decide whether these weird files are a result of system activity or virus activity.

Currently, I cannot access it because "it is being used by another process".
 

· Registered
Joined
·
79 Posts
Discussion Starter · #18 ·
Still, I would like to know what to do with this virus, because I have seen the exact same problem on another computer, and that computer will use Windows XP for another few years. Hopefully this isn't a virus that has spread throughout my family's network.
 